The existence of 'Locate X,' a service that tracks smartphone locations around the world by exploiting Google and Apple's advertising identifiers, has been revealed



Atlas Data Privacy Corp, a data privacy organization based in New Jersey, USA, has filed a lawsuit against Babel Street, a technology company that offers a location tracking service called Locate X. Locate X is a service that tracks people's locations by exploiting advertising identifiers built into Apple and Google smartphones, and Babel Street sells Locate X to individual customers as well as government agencies.

The Global Surveillance Free-for-All in Mobile Ad Data – Krebs on Security
https://krebsonsecurity.com/2024/10/the-global-surveillance-free-for-all-in-mobile-ad-data/



Inside the US Government-Bought Tool That Can Track Phones at Abortion Clinics
https://www.404media.co/inside-the-us-government-bought-tool-that-can-track-phones-at-abortion-clinics/

An investigation exposes data brokers using ads to help track almost any phone - The Verge
https://www.theverge.com/2024/10/23/24277679/atlas-privacy-babel-street-data-brokers-locate-x-tracking

Atlas Data Privacy Corp is a company that develops personal information deletion services and has filed lawsuits against 151 data brokers to date. In October 2024, Atlas Data Privacy Corp filed a similar lawsuit against a company called Babel Street. The lawsuit alleges that Babel Street's service Locate X violated the law, and Atlas Data Privacy Corp hired a private investigator to investigate Locate X. The security blog Krebs on Security and the news outlet 404 Media confirmed the screen recording of the private investigator using the trial version of Locate X.

When the private investigator contacted Babel Street to investigate, the salesperson explained that Babel Street only provides services to the government or government contractors. However, when the private investigator said, 'I intend to take on government contract work in the future,' the salesperson replied, 'That's fine. I won't actually check,' and offered a trial version of Locate X, which is not supposed to be available to private citizens.

In the trial version of Locate X, a user could draw a digital polygon around almost any location in the world and then see the history of devices that had been in and out of the designated area over the past few days. Such locations included religious institutions such as mosques and synagogues, courtrooms, and private facilities such as abortion clinics. Individual mobile device users could also be tracked using the advertising identifiers built into Apple and Google mobile devices.

The image below shows, as red dots in Locate X, the advertising identifiers of mobile devices that visited a mosque in Michigan. You can see that a huge amount of data can be collected.



Using a trial version of Locate X, a private investigator was able to identify the mobile devices of jurors in a New Jersey courthouse that day by designating a parking lot reserved for jurors. In addition, the app was able to track potential jurors to their homes using advertising identifiers, and it also provided the ability to pinpoint where targets sleep each night to within a few meters.

The complaint describes the cases of Scott Maloney, a New Jersey police officer, and his wife, Justina Maloney, who is also a police officer, as victims of Locate X's privacy violations. After a video of them responding to a citizen went viral, their addresses and phone numbers were exposed on social media, and they began receiving death threats. In one case, a masked and armed man was actually arrested near their home.

A private investigator tried to use Locate X to locate the couple's iPhones, but was unable to find Scott's iPhone. However, he was able to identify Justina's iPhone and track her daily activities. The only app on Justina's iPhone that used location services was the Macy's app.

In response to inquiries from Atlas Data Privacy Corp, Macy's said, 'We do not store customer location information. We share geolocation data with a limited number of partners who help us deliver this enhanced app experience.' This case shows that location information collected by various apps is widely shared and ultimately ends up in the hands of data brokers. The mobile device location data used by Babel Street for Locate X is believed to have been obtained from Venntel, a private phone tracking company.

An advertising identifier is an identifier assigned to each mobile device and is used to deliver targeted advertising to individual users. The data comes from the various apps that use location information, and the advertising identifier and location data are also sent when the device accesses a website that displays advertisements. This allows advertisers to deliver advertisements to targeted consumers in real time, but some marketing companies sell this data to non-advertisers, where it is used to track location information.



In response to a request for comment, Google said it does not send real-time bid requests to Babel Street or share precise location data with it. Bid requests are information about ad space that is sent to ad exchanges that buy and sell ad space, including the user's location. It added that its policies prohibit the sale of real-time bidding data or its use for purposes other than advertising.
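As an added example (not from the original article or from any company it describes), the Python sketch below audits a bid request for the fields that make the tracking described above possible, then strips or coarsens them. It assumes the OpenRTB 2.x field names (`device.ifa`, `device.lmt`, `device.ip`, `device.geo`), which the article does not name; the sample request and the two-decimal coarsening policy are constructed for illustration.

```python
import copy

ZERO_IFA = "00000000-0000-0000-0000-000000000000"  # sent when the ad ID is unavailable
COARSE_DECIMALS = 2  # assumed policy: roughly a 1 km grid instead of a precise fix

def audit_bid_request(req):
    """List the fields in a bid request that allow per-device location tracking."""
    findings = []
    device = req.get("device", {})
    geo = device.get("geo", {})
    ifa = device.get("ifa")
    if ifa and ifa != ZERO_IFA:
        findings.append("device.ifa carries a persistent advertising identifier")
        if device.get("lmt") == 1:
            findings.append("device.lmt=1 (limit ad tracking) but ifa is still populated")
    for key in ("lat", "lon"):
        value = geo.get(key)
        if value is not None and round(value, COARSE_DECIMALS) != value:
            findings.append(f"device.geo.{key} is finer than {COARSE_DECIMALS} decimal places")
    if device.get("ip"):
        findings.append("device.ip is present")
    return findings

def minimize_bid_request(req):
    """Return a copy with the identifier and IP removed and the location coarsened."""
    out = copy.deepcopy(req)
    device = out.get("device", {})
    device.pop("ifa", None)
    device.pop("ip", None)
    geo = device.get("geo", {})
    for key in ("lat", "lon"):
        if geo.get(key) is not None:
            geo[key] = round(geo[key], COARSE_DECIMALS)
    return out

# Constructed sample request (not real data; field names assumed from OpenRTB 2.x).
SAMPLE = {
    "id": "constructed-request-1",
    "app": {"bundle": "com.example.shopping"},
    "device": {
        "ifa": "6d92078a-8246-4ba4-ae5b-76104861e7dc",
        "lmt": 0,
        "ip": "203.0.113.7",
        "geo": {"lat": 40.735657, "lon": -74.172367, "type": 1},
    },
}

if __name__ == "__main__":
    for finding in audit_bid_request(SAMPLE):
        print("before:", finding)
    print("after:", audit_bid_request(minimize_bid_request(SAMPLE)))
```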

Apple also said in a statement that location services on Apple devices are turned off by default and that apps and websites must ask permission to use location information. An Apple spokesperson said, 'We believe privacy is a fundamental human right, and we build privacy protections into each of our products and services to give users control over their data.'

in Mobile,   Web Service,   Security, Posted by log1h_ik